fix: Fix spelling

This commit is contained in:
its0x08 2022-08-09 11:02:21 +02:00
parent 55c9689487
commit fc1f3b25a7
14 changed files with 174 additions and 135 deletions

View File

@ -20,9 +20,9 @@
- [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/) - [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/)
- [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting) - [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting)
- [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure) - [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure)
- [Pratical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis) - [Practical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
- [Pratical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging) - [Practical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
- [Pratical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking) - [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
- [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday) - [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering) - [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting) - [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
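Review bot: with the three "Pratical" titles corrected, this list is no longer alphabetical; "Practical Doomsday" (Zalewski, 2022) now sorts before "Practical Forensic Imaging" and "Practical IoT Hacking", so move that entry up to sit directly after "Practical Binary Analysis". The spelling corrections themselves match the No Starch titles.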

View File

@ -6,30 +6,41 @@
## Summary ## Summary
* [Tools](#tools) - [File Inclusion](#file-inclusion)
* [Basic LFI](#basic-lfi) - [Summary](#summary)
* [Null byte](#null-byte) - [Tools](#tools)
* [Double encoding](#double-encoding) - [Basic LFI](#basic-lfi)
* [UTF-8 encoding](#utf-8-encoding) - [Null byte](#null-byte)
* [Path and dot truncation](#path-and-dot-truncation) - [Double encoding](#double-encoding)
* [Filter bypass tricks](#filter-bypass-tricks) - [UTF-8 encoding](#utf-8-encoding)
* [Basic RFI](#basic-rfi) - [Path and dot truncation](#path-and-dot-truncation)
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) - [Filter bypass tricks](#filter-bypass-tricks)
* [Wrapper php://filter](#wrapper-phpfilter) - [Basic RFI](#basic-rfi)
* [Wrapper zip://](#wrapper-zip) - [Null byte](#null-byte-1)
* [Wrapper data://](#wrapper-data) - [Double encoding](#double-encoding-1)
* [Wrapper expect://](#wrapper-expect) - [Bypass allow_url_include](#bypass-allow_url_include)
* [Wrapper input://](#wrapper-input) - [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
* [Wrapper phar://](#wrapper-phar) - [Wrapper php://filter](#wrapper-phpfilter)
* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd) - [Wrapper zip://](#wrapper-zip)
* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron) - [Wrapper data://](#wrapper-data)
* [LFI to RCE via upload](#lfi-to-rce-via-upload) - [Wrapper expect://](#wrapper-expect)
* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race) - [Wrapper input://](#wrapper-input)
* [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile) - [Wrapper phar://](#wrapper-phar)
* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo) - [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) - [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) - [LFI to RCE via upload](#lfi-to-rce-via-upload)
* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files) - [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
- [RCE via SSH](#rce-via-ssh)
- [RCE via Mail](#rce-via-mail)
- [RCE via Apache logs](#rce-via-apache-logs)
- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
- [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
- [Windows version](#windows-version)
- [Linux version](#linux-version)
- [References](#references)
## Tools ## Tools
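Review bot: the regenerated Summary now opens with `- [File Inclusion](#file-inclusion)` and `- [Summary](#summary)`, i.e. the page title and the Summary heading linking to themselves; drop those two entries, as the previous version of every Summary in this commit started at the first real section. The anchor fix `#lfi-o-rce-via-credentials-files` → `#lfi-to-rce-via-credentials-files` is correct. The new `#null-byte-1` and `#double-encoding-1` entries rely on GitHub's `-1` suffix for duplicate headings, which not every Markdown renderer produces; renaming the RFI subsections (for example "RFI - Null byte") would give them unique anchors. Note also that this hunk regenerates the whole table of contents rather than fixing spelling, which the commit message `fix: Fix spelling` does not mention.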
@ -444,4 +455,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/) * [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
* [PHP LFI to arbitratry code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376) * [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)

View File

@ -5,19 +5,22 @@
## Summary ## Summary
* [Tools](#tools) - [GraphQL injection](#graphql-injection)
* [Exploit](#exploit) - [Summary](#summary)
* [Identify an injection point](#identify-an-injection-point) - [Tools](#tools)
* [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection) - [Exploit](#exploit)
* [Extract data](#extract-data) - [Identify an injection point](#identify-an-injection-point)
* [Extract data using edges/nodes](#extract-data-using-edges-nodes) - [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection)
* [Extract data using projections](#extract-data-using-projections) - [List path](#list-path)
* [Enumerate the types' definition](#enumerate-the-type-definition) - [Extract data](#extract-data)
* [Use mutations](#use-mutations) - [Extract data using edges/nodes](#extract-data-using-edgesnodes)
* [NOSQL injection](#nosql-injection) - [Extract data using projections](#extract-data-using-projections)
* [SQL injection](#sql-injection) - [Enumerate the types' definition](#enumerate-the-types-definition)
* [GraphQL Batching Attacks](#graphql-batching-attacks) - [Use mutations](#use-mutations)
* [References](#references) - [NOSQL injection](#nosql-injection)
- [SQL injection](#sql-injection)
- [GraphQL Batching Attacks](#graphql-batching-attacks)
- [References](#references)
## Tools ## Tools
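Review bot: the two anchor corrections, `#extract-data-using-edgesnodes` and `#enumerate-the-types-definition`, are right for GitHub's slugger, which strips `/` and `'` instead of replacing them with hyphens. The first two new entries, however, link the page title and the Summary heading to themselves and should be removed.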

View File

@ -3,7 +3,7 @@
## Summary ## Summary
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value&param1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurance, some taking the last occurance, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms. HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value&param1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
## Tools ## Tools
@ -22,7 +22,7 @@ Origin Service - Reads second param. In this scenario, developer trusted WAF and
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.) Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
``` ```
### Table of refence for which technology reads which parameter ### Table of reference for which technology reads which parameter
When ?par1=a&par1=b When ?par1=a&par1=b
| Technology | Parsing Result |outcome (par1=)| | Technology | Parsing Result |outcome (par1=)|
| ------------------ |--------------- |:-------------:| | ------------------ |--------------- |:-------------:|
@ -41,7 +41,7 @@ When ?par1=a&par1=b
| IBM HTTP Server |First occurrence |a | | IBM HTTP Server |First occurrence |a |
| Perl CGI/Apache |First occurrence |a | | Perl CGI/Apache |First occurrence |a |
| mod_wsgi (Python)/Apache |First occurrence |a | | mod_wsgi (Python)/Apache |First occurrence |a |
| Python/Zope |All occurences in array |['a','b'] | | Python/Zope |All occurrences in array |['a','b'] |
## References ## References
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/) - [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)

View File

@ -4,17 +4,20 @@
## Summary ## Summary
- [Tools](#tools) - [JWT - JSON Web Token](#jwt---json-web-token)
- [JWT Format](#jwt-format) - [Summary](#summary)
- [Tools](#tools)
- [JWT Format](#jwt-format)
- [Header](#header) - [Header](#header)
- [Payload](#payload) - [Payload](#payload)
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm) - [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256) - [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
- [Breaking JWT's secret](#breaking-jwts-secret) - [Breaking JWT's secret](#breaking-jwts-secret)
- [JWT Tool](#jwt-tool) - [JWT tool](#jwt-tool)
- [JWT cracker](#jwt-cracker) - [JWT cracker](#jwt-cracker)
- [Hashcat](#hashcat) - [Hashcat](#hashcat)
- [References](#references) - [CVE](#cve)
- [References](#references)
## Tools ## Tools
@ -241,7 +244,7 @@ Please select an option from above (1-4):
Please enter the known key: Please enter the known key:
> secret > secret
Please enter the keylength: Please enter the key length:
[1] HMAC-SHA256 [1] HMAC-SHA256
[2] HMAC-SHA384 [2] HMAC-SHA384
[3] HMAC-SHA512 [3] HMAC-SHA512
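Review bot: `Please enter the keylength:` sits inside a fenced block that appears to reproduce jwt_tool's interactive prompt verbatim, so rewording it to `key length` makes the transcript differ from what the program prints. Spelling fixes should stop at the code fence; quoted tool output stays as printed, even when misspelled.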

View File

@ -1,15 +1,17 @@
# Open URL Redirection # Open URL Redirection
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access. > Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access.
## Summary ## Summary
- [Exploitation](#exploitation) - [Open URL Redirection](#open-url-redirection)
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx) - [Summary](#summary)
- [Fuzzing](#fuzzing) - [Exploitation](#exploitation)
- [Filter Bypass](#filter-bypass) - [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
- [Common injection parameters](#common-injection-parameters) - [Fuzzing](#fuzzing)
- [References](#references) - [Filter Bypass](#filter-bypass)
- [Common injection parameters](#common-injection-parameters)
- [References](#references)
## Exploitation ## Exploitation
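Review bot: `Unvalidated` → `Un-validated` is not a spelling fix and should be reverted: `unvalidated` is the standard term (OWASP's category is literally "Unvalidated Redirects and Forwards"), and the line is a `>` quotation, which should keep its source wording. The genuine error on that line is `the applications access control check`, which wants an apostrophe (`application's`).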
@ -25,7 +27,7 @@ What happens if we change the `famous-website.tld/account` to `evil-website.tld`
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
``` ```
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials. By visiting this url, if we get redirected to `evil-website.tld` after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
## HTTP Redirection Status Code - 3xx ## HTTP Redirection Status Code - 3xx
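Review bot: `signup` → `sign-up` is a style preference rather than a correction, and the example URL two lines above still uses `/signup`; either spelling is acceptable, but keep the prose and the endpoint name consistent.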

View File

@ -4,9 +4,12 @@
## Summary ## Summary
* [Tools](#tools) - [Race Condition](#race-condition)
* [Turbo Intruder Examples](#turbo-intruder-examples) - [Summary](#summary)
* [References](#references) - [Tools](#tools)
- [Turbo Intruder Examples](#turbo-intruder-examples)
- [Turbo Intruder 2 Requests Examples](#turbo-intruder-2-requests-examples)
- [References](#references)
## Tools ## Tools
@ -42,7 +45,7 @@
4. Click "Attack" 4. Click "Attack"
## Turbo Intruder 2 Requests Examples ## Turbo Intruder 2 Requests Examples
This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds. This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
```python ```python
def queueRequests(target, wordlists): def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint, engine = RequestEngine(endpoint=target.endpoint,
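Review bot: after `follwoing` → `following` the sentence is still broken (`can use when use have to send race condition of request2`). Suggest: `Use the following template when request2 must be sent immediately after request1 and the race window is only a few milliseconds.`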

View File

@ -6,7 +6,7 @@ Attempting to manipulate SQL queries may have goals including:
- Information Leakage - Information Leakage
- Disclosure of stored data - Disclosure of stored data
- Manipulation of stored data - Manipulation of stored data
- Bypassing authorisation controls - Bypassing authorization controls
## Summary ## Summary
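Review bot: `authorisation` is the British spelling, not a misspelling; changing it to `authorization` is fine if the repository standardises on US English, but then it belongs to a consistency pass applied to the whole file rather than to a spelling fix.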

View File

@ -4,59 +4,74 @@
## Summary ## Summary
* [Tools](#tools) - [Templates Injections](#templates-injections)
* [Methodology](#methodology) - [Summary](#summary)
* [ASP.NET Razor](#aspnet-razor) - [Tools](#tools)
* [Basic injection](#aspnet-razor---basic-injection) - [Methodology](#methodology)
* [Command execution](#aspnet-razor---command-execution) - [ASP.NET Razor](#aspnet-razor)
* [Expression Language EL](#expression-language-el) - [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
* [Basic injection](#expression-language-el---basic-injection) - [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
* [Code execution](#expression-language-el---code-execution) - [Expression Language EL](#expression-language-el)
* [Freemarker](#freemarker) - [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
* [Basic injection](#freemarker---basic-injection) - [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
* [Code execution](#freemarker---code-execution) - [Expression Language EL - Code Execution](#expression-language-el---code-execution)
* [Groovy](#groovy) - [Freemarker](#freemarker)
* [Basic injection](#groovy---basic-injection) - [Freemarker - Basic injection](#freemarker---basic-injection)
* [Read/Create file](#groovy---read-and-create-file) - [Freemarker - Read File](#freemarker---read-file)
* [HTTP Request](#groovy---http-request) - [Freemarker - Code execution](#freemarker---code-execution)
* [Command execution](#groovy---command-execution) - [Freemarker - Sandbox bypass](#freemarker---sandbox-bypass)
* [Sandbox bypass](#groovy---sandbox-bypass) - [Groovy](#groovy)
* [Handlebars](#handlebars) - [Groovy - Basic injection](#groovy---basic-injection)
* [Jade / Codepen](#jade--codepen) - [Groovy - Read and create File](#groovy---read-and-create-file)
* [Java](#java) - [Groovy - HTTP request:](#groovy---http-request)
* [Basic injection](#java---basic-injection) - [Groovy - Command Execution](#groovy---command-execution)
* [Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables) - [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
* [Retrieve /etc/passwd](#java---retrieve-etcpasswd) - [Handlebars](#handlebars)
* [Jinja2](#jinja2) - [Handlebars - Command Execution](#handlebars---command-execution)
* [Basic injection](#jinja2---basic-injection) - [Jade / Codepen](#jade--codepen)
* [Template format](#jinja2---template-format) - [Java](#java)
* [Debug Statement](#jinja2---debug-statement) - [Java - Basic injection](#java---basic-injection)
* [Dump all used classes](#jinja2---dump-all-used-classes) - [Java - Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables)
* [Dump all config variables](#jinja2---dump-all-config-variables) - [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
* [Read remote file](#jinja2---read-remote-file) - [Jinja2](#jinja2)
* [Write into remote file](#jinja2---write-into-remote-file) - [Jinja2 - Basic injection](#jinja2---basic-injection)
* [Remote Code Execution](#jinja2---remote-code-execution) - [Jinja2 - Template format](#jinja2---template-format)
* [Filter bypass](#jinja2---filter-bypass) - [Jinja2 - Debug Statement](#jinja2---debug-statement)
* [Jinjava](#jinjava) - [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
* [Basic injection](#jinjava---basic-injection) - [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
* [Command execution](#jinjava---command-execution) - [Jinja2 - Read remote file](#jinja2---read-remote-file)
* [Lessjs](#lessjs) - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
* [Mako](#mako) - [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
* [Pebble](#pebble) - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
* [Basic injection](#pebble---basic-injection) - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
* [Code execution](#pebble---code-execution) - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
* [Ruby](#ruby) - [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
* [Basic injections](#ruby---basic-injections) - [Jinja2 - Filter bypass](#jinja2---filter-bypass)
* [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) - [Jinjava](#jinjava)
* [List files and directories](#ruby---list-files-and-directories) - [Jinjava - Basic injection](#jinjava---basic-injection)
* [Smarty](#smarty) - [Jinjava - Command execution](#jinjava---command-execution)
* [Twig](#twig) - [Lessjs](#lessjs)
* [Basic injection](#twig---basic-injection) - [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
* [Template format](#twig---template-format) - [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
* [Arbitrary File Reading](#twig---arbitrary-file-reading) - [Plugins](#plugins)
* [Code execution](#twig---code-execution) - [Mako](#mako)
* [Velocity](#velocity) - [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
* [References](#references) - [Pebble](#pebble)
- [Pebble - Basic injection](#pebble---basic-injection)
- [Pebble - Code execution](#pebble---code-execution)
- [Ruby](#ruby)
- [Ruby - Basic injections](#ruby---basic-injections)
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
- [Ruby - List files and directories](#ruby---list-files-and-directories)
- [Ruby - Code execution](#ruby---code-execution)
- [Smarty](#smarty)
- [Twig](#twig)
- [Twig - Basic injection](#twig---basic-injection)
- [Twig - Template format](#twig---template-format)
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
- [Twig - Code execution](#twig---code-execution)
- [Velocity](#velocity)
- [References](#references)
## Tools ## Tools
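Review bot: the regenerated entries carry stray punctuation from the headings into the table of contents: `Groovy - HTTP request:`, `Direct access to os from TemplateNamespace:` and `Exploit the SSTI by writing an evil config file.`. Fix the headings themselves (drop the trailing `:` and `.`) and regenerate, rather than shipping the punctuation in the link text. The four `Exploit the SSTI by ...` entries are sub-steps of `Jinja2 - Remote Code Execution` and should be indented one level under it, and the leading `Templates Injections` / `Summary` entries link to themselves and can go.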
@ -130,7 +145,7 @@ ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".g
#{session.getAttribute("rtc").setAccessible(true)} #{session.getAttribute("rtc").setAccessible(true)}
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")} #{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
// Method using processbuilder // Method using process builder
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())} ${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
${request.getAttribute("c").add("cmd.exe")} ${request.getAttribute("c").add("cmd.exe")}
${request.getAttribute("c").add("/k")} ${request.getAttribute("c").add("/k")}
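Review bot: `processbuilder` in that comment names the Java class `java.lang.ProcessBuilder` that the following `request.setAttribute` / `getAttribute` lines drive through reflection, so the fix should be `ProcessBuilder`, not `process builder`; splitting the class name turns a correct identifier into a misspelling of the API.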

View File

@ -61,7 +61,7 @@ If we can make the calculated hash string Zero-like, and provide "0" in the $coo
``` ```
We have control over 3 elements in the cookie: We have control over 3 elements in the cookie:
- $username - username you are targetting, probably "admin" - $username - username you are targeting, probably "admin"
- $hmac - the provided hash, "0" - $hmac - the provided hash, "0"
- $expiration - a UNIX timestamp, must be in the future - $expiration - a UNIX timestamp, must be in the future
@ -104,5 +104,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
## References ## References
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/) * [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) * [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)

View File

@ -26,7 +26,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
## Methodology 2 ## Methodology 2
1. Find an unkeyed input for a Cache Poisoning 1. Find an un-keyed input for a Cache Poisoning
```js ```js
Values: User-Agent Values: User-Agent
Values: Cookie Values: Cookie
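Review bot: `unkeyed` → `un-keyed` should be reverted, here and on the `X-Forwarded-Host` line in the next hunk. "Unkeyed input" is the established term in the web cache poisoning literature this methodology follows, and the hyphenated form is not a spelling correction, just a variant nobody searches for.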
@ -37,7 +37,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
Header: X-Original-URL (Symfony) Header: X-Original-URL (Symfony)
Header: X-Rewrite-URL (Symfony) Header: X-Rewrite-URL (Symfony)
``` ```
2. Cache poisoning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website) 2. Cache poisoning attack - Example for `X-Forwarded-Host` un-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
```js ```js
GET /test?buster=123 HTTP/1.1 GET /test?buster=123 HTTP/1.1
Host: target.com Host: target.com

View File

@ -1,19 +1,21 @@
# XSLT Injection # XSLT Injection
> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code > Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
## Summary ## Summary
- [Tools](#tools) - [XSLT Injection](#xslt-injection)
- [Exploit](#exploit) - [Summary](#summary)
- [Determine the vendor and version](#determine-the-vendor-and-version) - [Tools](#tools)
- [External Entity](#external-entity) - [Exploit](#exploit)
- [Read files and SSRF using document](#read-files-and-ssrf-using-document) - [Determine the vendor and version](#determine-the-vendor-and-version)
- [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks) - [External Entity](#external-entity)
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper) - [Read files and SSRF using document](#read-files-and-ssrf-using-document)
- [Remote Code Execution with Java](#remote-code-execution-with-java) - [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
- [References](#references) - [Remote Code Execution with Java](#remote-code-execution-with-java)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
- [References](#references)
## Tools ## Tools
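Review bot: `unvalidated` → `un-validated` in the quoted definition is not a spelling fix; `unvalidated` is the standard form, and since the line is a `>` quotation its original wording should stand. The table-of-contents changes in the same hunk only add the self-referencing `XSLT Injection` and `Summary` entries, which can be dropped.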

View File

@ -25,7 +25,7 @@ Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
Explanation of the vulnerability Explanation of the vulnerability
> The Meta element forces IEs document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert. > The Meta element forces IEs document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks theres another directory but the actual request is being sent to the document and that in essence is how an RPO attack works. > A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks theres another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php` Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
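Review bot: this paragraph is a `>` quotation from the hackvertor.co.uk writeup the demo links to, so its wording should not be edited, and `IE7 compat` is the name of the document mode rather than an abbreviation; `IE7 compatible` changes the meaning. If the quote is to be touched at all, the real defects are `{}*{xss:expression(open(alert(1)))` missing its closing `}` (compare the payload line at the top of the hunk) and `IEs` / `theres`, which want apostrophes.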